welcome to the north carolina department of revenue’s ... · the game includes information...

Adobe Captivate Wednesday, November 28, 2018

of 95

Slide 1 - Cover Title

Slide notes Welcome to the North Carolina Department of Revenue’s Information Security and Privacy Awareness Training.


of 95

Slide 2 - Introduction

Slide notes This training module utilizes both voice-over functionality and closed caption access making it accessible with or without audio. NOTE: Some slides that contain interactive content do not include audio. Click the play/pause button to view the training with audio. Click the CC button to view the training with Closed Captions (i.e., no audio). Use the back button to return to a previous slide. Use the forward button to advance to the next slide.


of 95

Slide 3 - Objectives

Slide notes At the conclusion of this training module, you should be able to:

• Explain the importance of Information Security and privacy

• List the Data Classifications at Revenue

• Define Federal Taxpayer Information (FTI) and Federal Regulations

• Describe how Federal Taxpayer Information is used at Revenue

• Identify types of Confidential Data

• Explain State Laws relating to taxpayer information

• Explain Email Best Practices

• Describe Staff Security Responsibilities, and Discuss Facility Security Reminders

After you have viewed this training, you will be required to complete an assessment to demonstrate what you have learned.


of 95

Slide 4 - Definitions

Slide notes Here are some important terms and their definitions. Take a moment to review these terms, as they will be used throughout this training and on the assessment.


of 95

Slide 5 - Data Classifications

Slide notes The data classifications used at Revenue are: Federal Taxpayer information, confidential information, and public information. We will discuss each of these within this training including the different types of confidential information that you may come across while working at DOR. Federal Taxpayer information and confidential information should be protected and handled with care.


of 95

Slide 6 - FTI and Federal Regulations

Slide notes The next section discusses Federal Taxpayer Information and Federal Regulations that are required at Revenue.


of 95


Slide notes What is Federal Taxpayer information or FTI? Federal Taxpayer information is taxpayer information that is received directly from the IRS, and it may include the following: Any information that would identify a taxpayer. This may include their name, social security number, or their address. The nature, source, or amount of their income or salary, payments or receipts. Deductions or exemptions on a tax return, and the assets, liabilities, or net worth of a taxpayer. You might wonder what is included in a Federal Tax Return. A return may include the following: Original and amended tax returns, Tax schedules, Attachments, and Supplements for the tax return.


of 95


Slide notes Within the Internal Revenue Code section 6103, it states that Federal Tax Information may be disclosed to the following: The actual taxpayer of the tax return and return information, The Taxpayer’s designee provided a Power of Attorney has been provided for this person from the taxpayer, State Tax Officials including Revenue staff with a business need to use information for tax administration purposes, Other Persons who are authorized and with a need to know. If you have any questions regarding who you are able to disclose tax information to, please contact your supervisor.


of 95


Slide notes Working together, the Internal Revenue Service and the Department of Revenue share information regarding North Carolina taxpayers. Revenue uses this information to: Update our income tax master files, including taxpayer names, addresses, and dates of death, To identify any persons or companies who did not file (referred to as “non-filing taxpayers”) for North Carolina, And, to identify taxpayers who underreport their income. All of this helps our agency to recover lost revenue due to our State.


of 95

Slide 10 - Did You Know?

Slide notes Did You Know? If you copy Federal Tax Information at all, even from one format to another, it is still considered Federal Tax Information. For example: If a NCDOR staff member generates a report that contains FTI through the use of an application on his/her workstation and then prints out the report, the printed report is also classified as FTI. All copies have the same handling requirements as the original document. Remembering this concept will ensure that all FTI is tracked and logged accordingly per IRS requirement.


of 95

Slide 11a - FTI and Federal Regulations


of 95

Slide 11b - FTI and Federal Regulations


of 95

Slide 12a - IRS Regulations Internal Revenue Codes


of 95

Slide 12b - IRS Regulations Internal Revenue Codes


of 95

Slide 12c - IRS Regulations Internal Revenue Codes


of 95

Slide 12d - IRS Regulations Internal Revenue Codes


of 95

Slide 12e - IRS Regulations Internal Revenue Codes


of 95


Slide notes Did you know: Disclosure restrictions and the penalties apply even after employment with the Agency has ended?


of 95

Slide 14 - IRS Training Videos

Slide notes The following videos provide good information on the protection and handling of FTI data and should be used as a reference.


of 95

Slide 15 - Confidential Data

Slide notes Now, that we have defined Federal Taxpayer Information and Federal Regulations, let’s identify the different types of confidential data that we must protect.


of 95


Slide notes Confidential data requires protection and proper destruction. It is important to first understand what types of data are considered as confidential. Confidential data includes personal identifiable information, which is also referred to as personally identifiable information, Merchant Credit Card Data, State Taxpayer Information, and, User Passwords.


of 95


Slide notes Other types of confidential data include, but are not limited to: Information System Security data (which includes data such as security configuration settings and other data about the security of our systems) Detailed plans and drawings of public buildings and infrastructure facilities, Contract Bids and Contract Bid Proposals that include identified vendor trade secrets, and, Information provided by other state agencies for tax administration purposes.


of 95

Slide 18 - Personal Identifiable Information

Slide notes Personal Identifiable Information is information that includes a person’s first name or their first initial plus their last name in combination with various types of identification numbers. Under the North Carolina P.I.I. law, business’ information is also protected. Because this type of data is classified as “Confidential,” it must be properly handled and protected accordingly. P.I.I. law define the word person as referring to an individual, partnership, corporation, trust, estate, cooperative, association, government, or governmental subdivision or agency, or other entity. An example of P.I.I. could include an individual’s first and last name along with their social security number, or a business name and a tax identification number. Now, let’s discuss what is excluded from P.I.I. Slide 18 - Personal Identifiable Information (continued)


of 95

According to the North Carolina General Statute 75-61, information in a publicly available directory that an individual has voluntarily consented to have publicly disseminated is not considered Personal Identifiable Information. For example, their name, address and telephone number listed in a phone directory. Also, information made lawfully available to the general public from federal, state, or local government records. For example, their name and address, which is legally required to be made publically available and is found on the local property tax web site.


of 95

Slide 19 - PII (Article NCGS 14-113.20)

Slide notes It is important that Staff understand what types of information are considered to be P.I.I. Here is a listing of what Personal Identifiable Information may include under the North Carolina General Statue 14-113.20: Social security or employer taxpayer identification numbers, Driver’s license, state identification card, or passport numbers, Checking and savings account numbers, Credit card and debit numbers, Personal Identification (PIN) code as defined in North Carolina General Statue 14-113.8(6). Digital signatures, electronic identification numbers, electronic mail names, or addresses,

Slide 19 - PII (Article NCGS 14-113.20) (continued)


of 95

Slide notes (continued)

Internet account numbers, or Internet identification names Digital signatures, any other numbers or information that can be used to access a person’s financial resources Biometric data, fingerprints, passwords, and parent’s legal surname prior to marriage.


of 95

Slide 20 - Payment Card Industry (PCI)

Slide notes Let’s discuss some requirements of the Payment Card Industry, which Revenue must adhere to.


of 95

Slide 21a - Payment Card Industry (PCI)


of 95

Slide 21b - Payment Card Industry (PCI)


of 95

Slide 22 - State Laws and Taxpayer Information

Slide notes Now that we have identified the types of confidential data that we protect at Revenue. We will now discuss State Laws and Taxpayer Information.


of 95

Slide 23a - State Laws & Taxpayer Information


of 95

Slide 23b - State Laws & Taxpayer Information


of 95

Slide 23c - State Laws & Taxpayer Information


of 95

Slide 23d - State Laws & Taxpayer Information


of 95

Slide 23e - State Laws & Taxpayer Information


of 95

Slide 24 - Knowledge Check Jeopardy

Slide notes Let’s play Jeopardy! The game includes information covered in this section on State Laws & Regulations. Review the instructions on the game board, then click the start button to begin playing Jeopardy!


of 95

Slide 25 - Staff Security Responsibilities

Slide notes Now, that we have explained state laws relating to taxpayer information; let’s describe the security responsibilities for all of our staff.


of 95


Slide notes The security of data, as well as the safety of agency staff members, is the responsibility of everyone. Here are a few reminders: Staff members should always be aware and observe their surroundings, and they should report any security violations to the Service Desk, There is no expectation of privacy when using Department of Revenue owned Resources, Protect, and do not share, your logon credentials, do not change any security settings of resources, Staff members should not put any offensive, libelous, harassing, or discriminatory statements into electronic communications such as text messages or emails. Do not attempt to access data, resources, or media that is not appropriate for your duties or which you are not authorized, Slide 26 - Staff Security Responsibilities (continued)


of 95

Immediately report to the Service Desk any discovered access to resources or data that is not appropriate for yourself or other staff members. Report any suspicious behavior that might indicate an insider threat to the Service Desk. The next slide discusses an insider threat.


of 95


Slide notes An Insider Threat is a malicious threat to an organization that comes from people within the organization. It is important that all staff know how to recognize potential indicators of an insider threat: Some behaviors that you may observe in the individual are as follows: Violating agency policy, showing disregard for rules, working odd hours without authorization Unnecessary copying of material, especially if it is proprietary or classified Interest in matters outside the scope of their duties You must report all suspected insider threats to the service desk.


of 95


Slide notes Here are some different ways you can help to prevent threats to the Agency: If you are, a manager and need to request access for your team members, Remember, you should only request the least amount of privileges needed for your staff to perform their job duties. Always verify the identity of any third-party persons (i.e. people claiming to be repair or maintenance personnel), prior to granting them access to any area of the facility or to modify or troubleshoot any resource. In the event of a staff member termination, or other separation of service, report it immediately to the security guards and the service desk.


of 95


Slide notes Did You Know? Sometimes there is confusion about which manager should submit the “aim Transfer Form” whenever staff are transferred.


of 95


Slide notes Although agency staff members have access to the Internet, please remember the following safety precautions: Internet usage is monitored for all staff members; Do not download any software without prior approval from the Chief Information Security Officer; Any approved files downloaded from the Internet must be scanned for viruses in accordance with the procedures listed on our Revenue’s intranet. No Federal Taxpayer information or confidential information shall be transmitted over the Internet without prior approval of the Chief Information Security Officer. This is to ensure the communication is approved and is sent using approved secure methods. All internet email accounts, such as Hotmail, Gmail, and Yahoo are prohibited at Revenue. And when using a messaging system, please remember Confidential information and FTI should only be disclosed to authorized participants with an established business need, and the information must be used for processing a valid business request. All messages are subject to North Carolina Public Record laws.


of 95


Slide notes Did You Know? Emails are considered to be a public record. Please review the information provided on this slide to learn more.


of 95


Slide notes There are many social media outlets and all are easily accessible; however, unless you are authorized by the Secretary of Revenue, do not make statements about Revenue using these outlets. Also, do not use Revenue logos or letterheads without prior approval. Revenue staff should never make offensive comments or engage in communications that violate the privacy or public rights of others.


of 95


Slide notes Did You Know? Posting on Social Media regarding an incident is considered indirectly communicating with the media. The Agency has designated the Public Affairs Office as the only department authorized to communicate with the media and to make statements on behalf of the Agency on social media regarding incidents or any other issue.


of 95


Slide notes Along with creating and using strong passwords, you can also protect the access of information by locking your computer. Because you are responsible for any activity that takes place under your user I.D., it is required that before you leave your seat, always lock or shut down your computer when unattended. You can lock your screen by using the following key combinations: Control, Alt, Delete and then the Enter key, or by pressing the Windows key and the “L” key. For your convenience, an example of what these keys look like has been provided on this slide. By taking these appropriate measures, it will help to safeguard not only yourself, but also taxpayer information.


of 95


Slide notes If any mobile resource has been assigned to you, for example: laptops, smart phones, or tablets, you are responsible for their security. All mobile resources are considered secure while inside Revenue facilities, unless otherwise indicated. While outside of Revenue facilities, mobile resources should be stored out of plain sight and, when possible, under lock and key. When traveling by common carrier, for example: airplane, train, bus, or boat, mobile resources should not be checked as baggage.


of 95


Slide notes To prevent the possibility of system viruses, do not install or connect any non-Department of Revenue issued hardware or media to any Department of Revenue device or network. When in doubt, here is an easy way to remember: if the Department of Revenue did not issue it to you, do not put it into a D.O.R. computer. The only exception is if there is a valid business need, and proper precautions, such as virus scanning, has been performed prior to connecting it to the Department of Revenue network. Examples of hardware and media may include CDs, Modems, Flash Drives, MP3 Players, Personal Data Devices, iPods, and smart phones.


of 95


Slide notes If there is a business need that requires you to receive external electronic media, such as a CD, USB drive, or Flash drive from a taxpayer or other state agency, remember that all electronic media must be scanned for viruses before being stored or used on any Revenue system. To do this, you can access the Electronic Media Scanning instructions located on the Information Security intranet under the “Procedures” pages. The first thing you will see in the instructions is to disconnect from the network, so if the media has a virus it won’t spread beyond your computer.


of 95

Slide 38a - Staff Security Responsibilities


of 95

Slide 38b - Staff Security Responsibilities


of 95

Slide 38c - Staff Security Responsibilities


of 95


Slide notes Did you know? A passphrase is one of the most recommended methods to use when creating a password. Take a moment to read this over and review the examples.


of 95

Slide 40 - Email Best Practices

Slide notes Now that we have explained the security responsibilities of all Revenue staff, let’s discuss some best practices for email.


of 95

Slide 41 - Email Best Practices

Slide notes It is important that all personnel understand the risks associated with responding to spam. Here are a few reasons why you should NEVER respond to Spam. Responding to Spam will, let the Spammer know your account is active, then they can pass your information onto other spammers, which will cause a great increase in the amount of spam you receive. You should note clicking the “Unsubscribe” link is also considered responding. Responding will allow the Spammer to potentially coax you into giving him or her sensitive information. Due to the fact that spam emails often bear fake source email addresses, by responding you may unwillingly collaborate in a devious scheme meant to saturate the mailbox of some unsuspecting target victim. If you believe you have received a spam message, you should always report it to the Service Desk. The next slide will review how to report it.


of 95

Slide 42 - Did You Know...

Slide notes Did you know? When reporting spam emails to the service desk, it is important that you do not forward the email. This is to prevent accidental clicks that could infect the network. Review the steps on how to attach a suspicious email to a new email as an attachment. If you’d like to review full instructions, please see the “Procedures” directory of the Information Security pages on the intranet.


of 95

Slide 43 - Did You Know...

Slide notes Did You Know? It is always a good idea to check your email at least twice before hitting the send button to ensure that you have reviewed what information you are sending out and who you are sending it to.


of 95

Slide 44 - How to identify Phishing Emails...

Slide notes Another way to identify phishing emails is to check the grammar of the email. Especially if the email is from a business. This could be a sign that something is not right. Beware of urgent or threatening language in the email - Attackers want you to open the email and click on links and they will try to use tricks like these to make you feel a sense of urgency to do just that. Don’t give out personal information - These days, very few people and businesses would request your personal information over the phone, by text, or by email. Any request for this type of information should give you reason to pause and evaluate the situation.


of 95




of 95

Slide 47 - Phishing for a Phish

Slide notes Let’s see if you can use the best practices from the earlier slides. Take a moment to evaluate the email included on this slide. Then, review the answers on the next slide.


of 95

Slide 48 - Phishing for a Phish (cont.)

Slide notes How did you do? Did you spot the grammatical errors such as a-r-e instead of o-u-r? Or the word “accounts” instead of the singular form, account? Did you notice the sentence structure error such as “information has need to be confirmed?” Did you notice the line, “your account has been suspended until you take further action or the line “failure to confirm your records may result in your account suspension?” This tactic is used to create a sense of urgency. Notice that when we hover over the link, the pop-up window displayed a link that was much different than the link text would lead you to believe! In this situation, a quick phone call to your bank could confirm your suspicions that this is a phishing email.


of 95

Slide 49a - Did You Know?


of 95

Slide 49b - Did You Know?


of 95

Slide 50 - Facility Security Policy Reminders

Slide notes Now that we have explained some email best practices, let’s discuss a few facility security reminders.


of 95


Slide notes Here are some reminders about facility security policies. You should always wear your badge between the neck and waist. This allows all Staff; including those who are responsible for security of our building know who you are and that you are NCDOR staff. Always report a lost or stolen badge immediately to the service desk, security guard, or Director of Business Operations. Personnel should never share their badge with anyone. NCDOR visitors must be escorted at all times. Personnel should never allow another individual to “piggyback” or “tailgate” through security checkpoints (e.g. doors with badge access).


of 95

Slide 52a - Did You Know?


of 95

Slide 52b - Did You Know?


of 95


Slide notes There may be situations where staff need to use or access Revenue information while away from a Revenue facility. These locations are considered alternative work sites. Some examples of acceptable alternative work sites may include: A customer’s tax office, an employee’s hotel room during official business travel, or a teleworker’s home office. Even though staff may be conducting official business with a customer, staff are reminded to refrain from accessing or discussing Revenue business in public areas, such as airports or coffee shops. Discussing Revenue information in these types of locations may put staff at risk of making an unauthorized disclosure of confidential information.


of 95


Slide notes It should also be remembered that the same security safeguards are required when handling confidential information at alternative work sites as you do when working within a Revenue facility. Some examples include: Adhere to the agency’s clean desk policy, Be aware of your conversation level as not to be overheard by others, Update your voice message to inform taxpayers not to leave Personal Identifiable Information. Forward business calls to your Revenue issued cellular phone that requires a PIN to retrieve messages. And, do not leave confidential information on any unattended computers.


of 95


Slide notes Interruptions and distractions could result in consequences such as: Sending information to the wrong person. For example forwarding an email to the wrong person or sending taxpayer information to the wrong taxpayer. Visible screens and uncovered paperwork have the potential to be seen by individuals who are not authorized.


of 95


Slide notes Besides protecting employees against potential threats, Federal Taxpayer Information housed at Revenue has additional facility security safeguards in place to protect that information. To do this, Federal Tax Information stored at Revenue must be secured using two barriers of protection. Examples of protection barriers may include locked or secure building exterior, and locked interior room, or, locked interior room, and locked security container, or locked file cabinet.


of 95


Slide notes Information housed at Revenue must also be properly labeled so that others know how to protect it. Federal Taxpayer Information should be labeled on documents and folders, And, it should also be labeled on file cabinets, and wherever Federal Taxpayer Information is contained.


of 95


Slide notes Did you know? If you are unable to badge into an area, that means you are not authorized to enter the area without an authorized staff escort.


of 95

Slide 59 - Let's Review

Slide notes Let’s review what we’ve discussed in this training: FTI and STI must NEVER be disclosed to any unauthorized individuals. Copies of data inherit the classification of the source, even if in a different format. Due to the confidential nature of Personal Identifiable Information (P.I.I.), it must be properly handled and protected. Payment card information should never be stored in an unencrypted format. Destruction of Tax Information must be done by means of a cross-cut shredder, or it can be placed in (an appropriately labeled) shred bin. The Service Desk must be contacted any time there is a suspected incident. Slide 59 - Let's Review (continued)


of 95

Slides notes (continued) Personnel should lock their screen before walking away by using Ctrl + Alt + Delete, Enter or the Windows key + the L key. Software should be approved by the Chief Information Security Officer (C.I.S. O.) before being downloaded or installed. Strong passwords do not include words found in the dictionary. If used they should be modified.


of 95

Slide 60 - Let's Review

Slide notes Work emails are considered to be a public record. Your only response to spam should be to report it to the Service Desk, by attaching it to an email and sending it to them (Never forward a suspicious email). Often a simple phone call to the sender can help to verify the source of an email. Just because you have access to a restricted area, does not mean others do, so you should NEVER allow someone to tailgate or piggyback through check points. If you hear a knock at the door while you are working onsite and you cannot see the source, don’t answer. Badges should be worn between the neck and waist at all times. You must follow the same safeguards when at an alternate worksite, as you do when at DOR. All personnel must be escorted while in an area where their badge does not permit them access.

Slide 61 - Check Your Knowledge Assessment


of 95

Slide notes Please review the quiz instructions carefully. The following quiz will test what you have learned in this training module. There are 13 Multiple Choice and True/False questions on the quiz. Each slide includes one question. The quiz questions are set for multiple attempts. Review the questions and answer choices, then select the appropriate answer. Use the Clear button when you want to clear an answer before submitting it. After you select the correct answer, use the Next button to advance to the next question slide. NOTE: You will not be able to advance to the next slide until you have selected the correct answer. Use the Submit button to submit your answer.


of 95

Slide 62 - Question 1


of 95



of 95

Slide 76 - Additional Resources

Slide notes If you would like more information regarding the material covered in this training, please see the additional resources that have been provided on this slide. For your convenience, all links can also be found on the internal Information Security pages of the intranet, and can be downloaded for later use.


of 95

Slide 77 - Annual Acknowledgement

Slide notes And remember, your training is not considered complete until you complete the acknowledgement in the LMS. Acknowledgement of the 2018 Information Security and Privacy Awareness Training in the LMS is the final step. For your convenience, the NC Department of Revenue Security Policies Annual Acknowledgement has been provided on this slide.


of 95

Slide 78 - Questions

Slide notes If you have questions regarding the information in this Information Security and Privacy Awareness Training module, you can contact the Chief Information Security Officer, or the Information Security Manager, or the Information Security Compliance Analysts listed on this screen. Thank you.

welcome to the north carolina department of revenue’s ... · the game includes information...

Documents